Data Act: the action plan for businesses and a focus on health

Entered into force on September 12, 2025, the Data Act constitutes a key step in European data regulation. It responds to a simple observation: connected objects and associated services produce a mass of information that is often monopolized by cloud giants and manufacturers, to the detriment of users and other actors.

‍

The regulation aims to rebalance this balance of power by guaranteeing everyone the right to access, consult and share the data generated freely. By promoting transparency and interoperability, it pursues two major objectives: to ensure a more equitable distribution of the value created and to remove the barriers to their circulation.

‍

This article identifies the key actions to anticipate, with a particular focus on the health sector.

‍

1. Which companies are affected by the Data Act?

‍

The Data Act broadens the scope of regulation by introducing the concept of data holders, i.e. entities that control the data generated or extracted from connected objects and/or related services. The three main types of actors concerned by the Data Act are as follows:

‍

• Manufacturers of “connected products” to goods equipped with sensors or integrated software. These include smart cars, medical or fitness devices, smart homes, agricultural machines, industrial robots, etc.

‍

• Publishers of software called “related services” allowing the exploitation of the data collected by these connected products through applications or interfaces, such as fitness, home automation or industrial control applications. Their role is central in exploiting the information generated by sensors — whether it is to optimize energy consumption or to measure the environmental impact of a washing cycle.

‍

• Digital infrastructure providers (cloud hosts, SaaS software) who store, process, and organize this data.

‍

Beyond data holders, the Data Act also targets users — businesses or individuals — who own or rent a connected product and must be able to access the data generated.

‍

2. What are the four new obligations imposed on data holders by the Data Act, and how can they transform them into concrete actions?

‍

Allow access to data for users of connected products: these users must be able to access, directly or via a third party, their data, free of charge, in a secure manner and in a structured and machine-readable format (Chapter 2 of the Data Act). This requirement will apply to connected products and related services placed on the market after September 12, 2026.

‍

👉 Examples of actions: mapping the data generated by products and services, providing information to users on this data, setting up technical interfaces (APIs), reviewing contracts with users to incorporate these new rights and how to exercise them.

‍

Allow the transfer and portability of data between companies: if the user requests it, a law or regulation requires it, the data generated by connected products or related services must be transferred to another company (Chapters 2 & 3 of the Data Act). For example, an after-sales service company that repairs smartwatches from different manufacturers and needs access to data to repair a user's watch.

‍

👉 Examples of actions: prepare a data portability plan, draft a model data transfer contract governing data flows without abusive clauses, provide reasonable royalty models, put in place technical means to secure these data transfers (API or data download)

‍

Sharing data with public bodies: Public organizations can ask data holders to share data with them in case of exceptional and motivated need, such as a pandemic, disaster, cybersecurity (Chapter 5).

‍

👉 Examples of actions: establish internal procedures for responding to requests and define confidentiality safeguards.

‍

Interoperability and change of IT provider: Cloud providers and SaaS software publishers will allow their B2B and B2C customers to change providers without service interruption or data loss (Chapter VI). The objective is to rebalance relationships between suppliers and users, by eliminating exit fees, contractual penalties or interminable procedures, which hitherto hampered the change of service providers. Users should be able to migrate to another provider while maintaining their data and associated functionality.

‍

👉 Examples of actions: review customer contracts in order to integrate practical transfer procedures, implement technical solutions ensuring smooth migration, and propose open interfaces capable of exporting data in standard, commonly used and machine-readable formats.

To protect the business secret and intellectual property of data holders, the Data Act specifies that the entity accessing the data cannot access data protected by intellectual property rights or constituting a trade secret of the service provider (articles 4, 5 and 30), nor develop a competing product, nor use this data for other purposes (articles 4 and 6). The regulation also provides for measures to punish the illegal access or use of data by a user or a third party (art. 11).

Finally, it is expected that the provision of data may give rise to reasonable financial compensation (article 9).

‍

3. Who are the real beneficiaries of the Data Act?

‍

The Data Act generates benefits at several levels.

For the undertakings, it opens the door to new business models, stimulates innovation and reduces dependence on digital giants. For the users, it brings more transparency and control: everyone can finally use, share or transfer their own data, strengthening trust and the quality of services. As for public organizations, they gain strategic access to data in the event of a crisis, a valuable asset to better anticipate and react.

‍

4. Concrete case/practical case: medical devices

‍

The health sector illustrates the ambitions and limits of the Data Act. On the front line are the manufacturers of connected medical devices — patient telemonitoring tools, smart watches, imaging devices — the related service providers who use this data, as well as the health facilities likely to access it in the interests of patients.

‍

The opportunities are major: easier access to data from connected devices, better collaboration between public and private actors, the acceleration of research and improvement of the quality of care. This dynamic is thus part of the creation of theEuropean Health Data Space, intended to strengthen prevention, innovation and cross-border cooperation between actors in the world of health in the European Union.

‍

However, these promises come with major challenges: it is necessary to ensure reinforced protection of sensitive data, to secure transfers, to ensure that uses remain strictly in accordance with the intended purposes and to permanently maintain transparency as well as the consent and control of patients over their data.

‍

***

‍

To find out more about the European regulation of patient health data, we invite you to consult our article: ” Patient health data: regulation is gaining momentum in France and Europe ”, available on our blog.

‍

The firm's IT/Data team supports you to secure your practices and integrate these requirements into your projects. Contact us today to anticipate regulatory changes and bring your tools into compliance.

‍

Clémentine Beaussier, partner lawyer at Squair